Privilege Reference

Manage an Organization Coveo Relevance Cloud System Administrator Product Documentation

In this article

Analytics Service
Commerce Service
Content Service
Customer Service
Machine Learning Service
Organization Service
Search Service

In the Coveo privilege system, each domain can be associated to one or more access levels to form a privilege, which allows an API key or a group of users to perform certain operations in the Coveo Administration Console (see Manage Privileges and Navigate the Privileges Tab).

However, although many domains offer a View and an Edit access level, the abilities represented by these access levels may differ from domain to domain. Some domains also offer different access level options such as Allowed or Push. So, to help you grant the appropriate privilege to groups of users or API keys, this page details what your grantee can do when granted each access level option for each domain. In the Coveo Administration Console, domains of privilege are grouped by service, and this page uses the same arrangement. Use the In this article menu on the right-hand side of the page to browse the services and domains.

The operation of granting privileges isn’t to be taken lightly, as insufficient privileges can hinder task accomplishment, while inadequate or unnecessary privileges could lead to accidents or misuse. When allowed to delegate powers, you should have a good understanding of how the Coveo privilege system works and be well aware of the implications of each choice you make. In this regard, we recommend thoroughly reading the privilege documentation before granting privileges or editing a privilege set, and enforcing the principle of least privilege, i.e., granting just enough privileges for the grantee to perform their tasks (see Manage privileges and Principle of Least Privilege).

In the tables below, the typical grantees associated to a privilege are mostly the built-in groups that are granted this access level by default. However, they could also include typical groups of users that should have the privilege granted to them (e.g., support agents). Members of the Administrators group are always granted the highest access level. Similarly, the Typical grantee column shows which API key presets are granted each access level.

Analytics Service

Administrate Domain

Access level

Grantee abilities

Typical grantees

Allowed

Manage the organization usage analytics data:
- Add and delete test usage analytics data in the account
- Edit, get, delete, and disable the organization account
Define IP addresses whose events are flagged as internal

This privilege is especially potent since grantees can delete usage analytics data and could inadvertently corrupt it as well.

Administrators
Admin API keys
Analytics API keys

Analytics Data Domain

Access level	Grantee abilities	Typical grantees
View	View reports (see Manage Usage Analytics Reports) View dimensions (see Manage Dimensions on Custom Metadata) View named filters (see Manage Named Filters) View permission filters (see Manage Permission Filters) View usage analytics data exports (see Manage Data Exports)	Analytics managers Analytics viewers Relevance managers Admin API keys Monitoring API keys
Push	Send analytics events to Coveo Usage Analytics (Coveo UA) (see Manage API Keys)	OAuth tokens, API keys, and search tokens assigned to a process such as a search interface Anonymous search API keys Search API keys
Push and view	View reports (see Manage Usage Analytics Reports) View dimensions (see Manage Dimensions on Custom Metadata) View named filters (see Manage Named Filters) View permission filters (see Manage Permission Filters) View usage analytics data exports (see Manage Data Exports) Send analytics events to Coveo UA (see Manage API Keys)	Administrators Analytics API keys

Data Exports Domain

The Data exports domain access levels are ineffective without the View access level on the Analytics data domain (see Analytics Data Domain).

Access level	Grantee abilities	Typical grantees
View	View and download usage analytics data exports containing clicks, groups, keywords, searches, and custom events meeting the specified criteria for a specific date range (see Manage Data Exports)	Monitoring API keys
Edit	Add, edit, or delete analytics data exports from the specified user visits (see Manage Data Exports) Review user visits (see Review User Visits With the Visit Browser)	Administrators Analytics managers Analytics viewers Relevance managers Admin API keys Analytics API keys

Data Health Domain

The Data Health domain access level is ineffective without the View access level on the Tableau Reports domain.

Access level	Grantee abilities	Typical grantees
View	View organizational data health for a specific date range.	Administrators

Delete User Data Domain

Access level

Grantee abilities

Typical grantees

Allowed

Delete usage analytics user data

This privilege is especially potent since grantees can delete usage analytics user data. This can break existing reports and also render some data sets inaccurate.

Administrators
Admin API keys
Analytics API keys

Dimensions Domain

The Dimensions domain access levels are ineffective without the View access level on the Analytics data domain (see Analytics Data Domain).

Access level	Grantee abilities	Typical grantees
View	View dimensions (see Manage Dimensions on Custom Metadata) View reports (see Manage Usage Analytics Reports) View named filters (see Manage Named Filters) View permission filters (see Manage Permission Filters)	Analytics viewers Monitoring API keys
Edit	Add, edit, or delete dimensions created by Coveo organization members (see Manage Dimensions on Custom Metadata)	Administrators Analytics managers Admin API keys

Impersonate Domain

Access level	Grantee abilities	Typical grantees
Allowed	Allow a custom process or bot to push usage analytics events with different identities	Administrators Admin API keys Analytics API keys

Incoherent Events Domain

Access level	Grantee abilities	Typical grantees
View	View incoherent events (see Review Incoherent Usage Analytics Events)	Administrators Admin API keys Analytics API keys Monitoring API keys

Named Filters Domain

The Named filters domain access levels are ineffective without the View access level on the Analytics data and Dimensions domains (see Analytics Data Domain and Dimensions Domain).

Access level	Grantee abilities	Typical grantees
View	View named filters (see Manage Named Filters)	Analytics viewers Monitoring API keys
Edit	Add, edit, or delete named filters (see Manage Named Filters)	Administrators Analytics managers Relevance managers Admin API keys Analytics API keys

Permission Filters Domain

The Permission filters domain access levels are ineffective without the View access level on the Analytics data and Dimensions domains (see Analytics Data Domain and Dimensions Domain).

Access level

Grantee abilities

Typical grantees

View

View permission filters restricting the usage analytics data that analysts can review in reports (see Manage permission filters)

Without the View access level, you can’t see the permissions filters that are assigned to your identity in reports.

Analytics viewers
Analytics managers
Relevance managers
Monitoring API keys

Edit

Add, edit, or delete permission filters (see Manage permission filters)

The Edit access level is ineffective without the View access level on the Groups domain (see Groups domain).

Administrators
Admin API keys
Analytics API keys

Reports Domain

The Reports domain access levels are ineffective without the View access level on the Analytics data and Dimensions domains (see Analytics Data Domain and Dimensions Domain).

Access level

Grantee abilities

Typical grantees

View

View usage analytics reports (see Review and manage dashboards and Review and manage explorers)

Analytics viewers
Monitoring API keys

Edit

Add, edit, or delete usage analytics reports (see Manage usage analytics reports)

The Edit access level is ineffective without the Allowed access level on the Administrate domain (see Administrate domain).

Administrators
Analytics managers
Relevance managers
Admin API keys
Analytics API keys

Snowflake Management Domain

The Edit access level is ineffective without the Allowed access level on the Administrate domain.

Access level	Grantee abilities	Typical grantees
View	View and export usage analytics data through the Snowflake Reader Account View Snowflake reader account monthly credit consumption	Administrators Analytics managers Analytics viewers Relevance managers Monitoring API keys
Edit	Add or edit Snowflake reader accounts Add or block IP addresses Share Data with other Snowflake accounts	Administrators Analytics managers Relevance managers Admin API keys Analytics API keys

Tableau Reports Domain

The Tableau Reports domain access level is ineffective without the View access level on the Analytics Data and the Reports domains.

Access level	Grantee abilities	Typical grantees
View	View advanced reports	Administrators Monitoring API keys

View All Reports Domain

Access level

Grantee abilities

Typical grantees

Allowed

View all reports, regardless of report accesses (see Manage Access to Usage Analytics Reports). Members that don’t have this access level can only review the reports they’re explicitly allowed to access.

This privilege is especially potent since grantees bypass report permissions and could therefore access sensitive information that they wouldn’t be allowed to access otherwise.

Administrators
Analytics managers
Admin API keys
View all reports

Commerce Service

Catalog Domain

Access level	Grantee abilities	Typical grantees
View	View catalogs and catalog configuration	Monitoring API keys
Edit	Add, edit, or delete catalogs	Administrators Admin API keys

Product Listing Domain

Access level	Grantee abilities	Typical grantees
View	View product listings	Monitoring API keys
Edit	Add, edit, or delete product listings	Administrators Admin API keys

Content Service

Connectivity Diagnostic Logs Domain

Access level	Grantee abilities	Typical grantees
View	Download update logs	Administrators Content managers Admin API keys Monitoring API keys

Crawling Module Domain

Access level

Grantee abilities

Typical grantees

View

Access the Crawling Modules (platform-ca | platform-eu | platform-au) page (see Monitor the Crawling Module)
When you see create or edit a source, this privilege allows you to select the Crawling Module instance responsible for crawling this source.

Content managers
Users
Monitoring API keys

Only content managers and users of organizations created after November 19th, 2019 are granted this privilege by default. Content managers and users of older organizations can be granted this privilege manually if needed (see Grant privileges).

Edit

This access level allows a Crawling Module instance to report its status to Coveo (see Monitor the Crawling Module). Granting this access level to groups of users doesn’t give them any additional capabilities.

Administrators
Admin API keys
Crawling Module API keys

Administrators are granted the highest access level for all domains, including Crawling Module. However, in this case, having the Edit access level instead of View doesn’t grant them any additional capabilities. It only makes a difference for Crawling Module API keys, which require the Edit access level (see Coveo on-premises crawling module).

Crawling Module Log Request

Access level

Grantee abilities

Typical grantees

View

Granting this privilege to groups of users or API keys doesn’t give them any additional capabilities.

Edit

Download Crawling Module logs from the Activity panel

This privilege is especially potent since grantees can use it to access logs that are normally available to the host server’s administrators only. Although the logs contain no sensitive information such as passwords and no indexed content, they still show the hostname of the Crawling Module host server, the accessed URLs, etc.

Administrators
Admin API keys

Extensions Domain

Access level		Grantee abilities	Typical grantees
View all		View the code and usage statistics of available extensions assigned to sources. This is especially useful when troubleshooting cases such as item indexing issues (see Manage Extensions).	Monitoring API keys
Custom	View	View the code and usage statistics of the specified extensions. This is especially useful when troubleshooting cases such as item indexing issues (see Manage Extensions).
Custom	Edit	Add code snippets to apply transformations to included items such as adding or modifying metadata (see Add or Edit Indexing Pipeline Extensions). We recommend that you grant this privilege to developers only.
Edit all		Add code snippets to apply transformations to included items such as adding or modifying metadata (see Add or Edit Indexing Pipeline Extensions). We recommend that you grant this privilege to developers only.	Administrators Content managers Admin API keys

Fields Domain

Access level	Grantee abilities	Typical grantees
View	View fields and field configuration (see Manage Fields)	Users Monitoring API keys
Edit	Add, edit, or delete fields (see Manage Fields) Add, update, or delete fields in batches (see Creating Fields)	Administrators Content managers Admin API keys

Logical Indexes Domain

Access level	Grantee abilities	Typical grantees
View	When your organization has more than one index: On the Sources page, see in which index the content of each source is stored (see Manage Your Organization Indexes). When adding a source, select the index in which the retrieved content will be stored.	Monitoring API keys
Edit	Required to use an upcoming feature. Granting this access level to groups of users doesn't give them any additional capabilities yet.	Administrators Content managers Admin API keys

Security Identities Domain

The Security identities domain access levels are ineffective without the View access level on the Security identity providers domain (see Security Identity Providers Domain).

Access level	Grantee abilities	Typical grantees
View	View security identity provider update status, statistics, and refresh schedule (see Manage Security Identities) View security identity provider references such as provider IDs and the sources that use each provider (see Review Additional Statistics) View the permissions and effective permissions on Coveo organization items (see Review Item Properties) View security identities and their status inside each security provider	Monitoring API keys
Edit	Only required by certain API calls (e.g., enable all disabled entities in security cache). Granting this access level to groups of users doesn't give them any additional capabilities.	Administrators Admin API keys

Security Identity Providers Domain

Access level	Grantee abilities	Typical grantees
View	View security identity provider update status, statistics, and refresh schedule (see Manage Security Identities) View security identity provider references such as provider IDs and the sources that use each provider (see Review Additional Statistics) View security identities and their status inside each security provider	Monitoring API keys
Edit	Refresh security identity providers Configure security identity refresh schedules Edit a security identity provider	Administrators Admin API keys

Source Metadata Domain

Access level

Grantee abilities

Typical grantees

View

View a sample of the metadata discovered while indexing your source.

This privilege is especially potent since grantees bypass the content permissions of the sources they can edit. They can therefore access sensitive index content that they can’t normally access in the original repository.

Administrators
Admin API keys

Sources Domain

Notes

To review source content in the Content Browser, you must have the Allowed access level on the Execute queries domain (see Inspect Items With the Content Browser and Execute Queries Domain).
Unlike for other resources, the ability to create sources can be granted without the Edit access level. You can therefore grant a group or API key the View all or Custom access level for the Sources domain and check the Can Create check box to allow users to create resources in this domain.

Access level		Grantee abilities	Typical grantees
View all		View all sources (see Manage Sources) View configuration of all sources View all source logs (see Log Browser) Subscribe to source notifications (see User Notifications)	Users
Custom	View	View source (see Manage Sources) View source configuration View source logs (see Log Browser) Subscribe to source notifications (see User Notifications)	Monitoring API keys
Custom	Edit	Edit or delete specific sources (see Add or Edit a Source) Schedule source updates Edit specific source mappings (see Manage Source Mappings) Launch, pause, resume, and cancel specific source updates (see Refresh, Rescan, or Rebuild Sources) Use the push API to send content to Coveo (see Use the Push API) Subscribe to source notifications (see User Notifications)	Monitoring API keys
Edit all		Add sources Edit or delete all sources Edit all source refresh schedules (see Schedule a Source Update) Edit all source mappings (see Manage Source Mappings) Launch, pause, resume, and cancel all source updates (see Refresh, Rescan, or Rebuild Sources) Use the push API to send content to Coveo (see Use the Push API) Subscribe to source notifications (see User Notifications)	Administrators Content managers Admin API keys

Customer Service

Case Assist Configuration Domain

Access level	Grantee abilities	Typical grantees
View	View elements of the Case Assist (platform-ca \| platform-eu \| platform-au) page	Monitoring API keys
Edit	Manage elements of the Case Assist (platform-ca \| platform-eu \| platform-au) page	Administrators Admin API keys

Use Case Assist Domain

Access level	Grantee abilities	Typical grantees
Allowed	Leverage case assist configurations in support cases	Administrators Content managers Relevance managers Users

Insight Panel Configuration Domain

Access level	Grantee abilities	Typical grantees
View	View elements of the Insight Panel (platform-ca \| platform-eu \| platform-au) page	Monitoring API keys
Edit	Manage elements of the Insight Panel (platform-ca \| platform-eu \| platform-au) page	Administrators Admin API keys

Insight Panel Interface Domain

Access level	Grantee abilities	Typical grantees
View	View an Insight Panel interface in a Customer Relationship Management (CRM) system	Monitoring API keys
Edit	Create, update, or delete an Insight Panel interface	Administrators Admin API keys

Insight Panel Items Domain

Access level	Grantee abilities	Typical grantees
View	View items that are relevant to a case in an Insight Panel interface.	Administrators Support agents Admin API keys Monitoring API keys

Machine Learning Service

Allow Content Preview Domain

Access level

Grantee abilities

Typical grantees

Enable

Inspect the resources available to create content-based Coveo Machine Learning models.

This privilege gives grantees indirect access to index content. Grantees could therefore have access to sensitive content to which they wouldn’t have under normal conditions.

Administrators
Relevance managers
Admin API keys

Models Domain

Access level	Grantee abilities	Typical grantees
View	View Coveo Machine Learning models	Monitoring API keys
Edit	Add, edit, or delete machine learning models, and therefore optimize search results relevance and search experience in general (see Manage Machine Learning Models).	Administrators Relevance managers Admin API keys

User Profiles Domain

Access level	Grantee abilities	Typical grantees
View	View the Coveo Machine Learning user profile made for each user or visitor ID	Monitoring API keys
Edit	Edit the Coveo Machine Learning user profile made for each user or visitor ID	Administrators Admin API keys

Organization Service

API Keys Domain

Note

This domain is only available when configuring groups, as API keys can’t be granted the privilege to view or edit other API keys (see Manage Member Groups).

Access level		Grantee abilities	Typical grantees
View all		View in read-only mode the configuration of all API keys (see Manage API Keys)	Content managers Relevance managers Monitoring API keys
Custom	View	View in read-only mode the configuration of specific API keys (see Manage API Keys)
Custom	Edit	Edit, delete, activate, and disable specific API keys (see Manage API Keys and Custom Access Level)
Edit all		Add, edit, delete, activate, and disable all API keys (see Manage API Keys and Custom Access Level)	Administrators Admin API keys

Activities Domain

Access level

Grantee abilities

Typical grantees

View

View all organization activities (see Review all events related to Coveo Administration Console Resources)

A member with the View access level could see activities from Administration Console pages for which they’re not granted any access levels.

Content managers
Relevance managers
Monitoring API keys

Edit

Send custom activities to Coveo (see Add or edit a Push source)

Administrators
Admin API keys

Elasticsearch Indexes Domain

Note

This domain is only available in organizations with an Elasticsearch index.

Access level		Grantee abilities	Typical grantees
View		View index status (see Index Status) View index details (see Review Index Details)
Edit		Add an index (see Add an Index) Edit the JSON configuration of an index (see Edit an Index JSON Configuration)	Administrators

Critical Updates Domain

Access level		Grantee abilities	Typical grantees
View		Access the list of available critical updates	Monitoring API keys
Edit		Enable/disable critical updates in the organization	Administrators Admin API keys

Groups Domain

Leading practice

Grant the Edit or Edit all access level for the Groups domain only to a few people, ideally the authority in your company that manages access rights in corporate systems.

Access level		Grantee abilities	Typical grantees
View all		View all groups, including their privileges (see Manage Member Groups) View organization members (see Manage Members)	Analytics managers Monitoring
Custom	View	View groups, including their privileges (see Manage Member Groups)	Content managers Relevance managers
Custom	Edit	Copy, edit, or delete groups and members (see Duplicate a Group, Edit a Group, and Delete a Group) Edit group member privileges (see Privileges Tab) Send invitations to users (see Create a New Group and Manage Members)	Relevance managers
Edit all		Copy, edit, or delete all groups and their members (see Duplicate a Group, Edit a Group, and Delete a Group) Edit privileges of all groups (see Privileges Tab) Send invitations to users (see Create a New Group and Manage Members)	Administrators Admin API keys

For the above grantees, by default, members of the Relevance Managers built-in group can edit this group only. This allows them to invite other people in the Relevance Managers group, but not in other groups.

The Edit all access level is especially potent since grantees can use it to add anyone, including themselves, to any organization group. This can lead to privilege escalation

Link Domain

See Privileges Required to Manage Snapshots for details on the privileges you need to use the resource snapshot feature.

Access level		Grantee abilities	Typical grantees
View		Validate a resource snapshot View changes to apply	Monitoring API keys
Edit		Match analogous resources	Administrators Admin API keys

Notifications Domain

Access level		Grantee abilities	Typical grantees
View		View organization notifications (see Manage Notifications)	Monitoring API keys
Edit		Edit and delete organization notifications (see Manage Notifications)	Administrators Admin API keys

On-Premises Administration Domain

The privileges of this domain are required by the Coveo On-Premises Crawling Module API keys only (see Coveo On-Premises Crawling Module and Manage API Keys). Granting these privileges to groups of users doesn’t give them any additional capabilities.

Access level

Grantee abilities

Typical grantees

View

Monitoring API keys

Edit

This access level, when granted to a Coveo On-Premises Crawling Module API key, allows the Crawling Module to communicate with Coveo (see Coveo On-Premises Crawling Module and Manage API Keys). Granting it to users or groups doesn’t give them any additional capabilities.

Administrators
Admin API keys
Crawlng Module API keys

Administrators are granted the highest access level for all domains, including On-Premises Organization. However, in this case, having the Edit access level instead of View doesn’t grant them any additional capabilities. It only makes a difference for Crawling Module API keys, which require the Edit access level (see Coveo On-Premises Crawling Module).

Organization Domain

Access level Grantee abilities Typical grantees

View

Access the Coveo Administration Console (see Minimum privilege and Coveo Administration Console)

The granted ability to access the Administration Console only applies to groups of users and is irrelevant for API keys.
Without the View access level, an organization member gets the following message when trying to log in to the Administration Console (see Logging in to Coveo):

Insufficient Privileges - You currently have insufficient privileges to access the Coveo Administration Console of the [OrganizationName] organization. Contact an administrator of the [OrganizationName] organization to change your privileges, or select an organization to which you have access through the Coveo Administration Console.

View the Coveo license details and limits, as well as the organization basic information

Analytics managers
Analytics viewers
Content managers
Relevance managers
Users
Monitoring API keys

Edit

Administrators
Admin API keys

Single Sign-On Identity Provider Domain

Access level		Grantee abilities	Typical grantees
View		View the organization's single sign-on configuration	Monitoring API keys
Edit		Configure single sign-on for the organization	Administrators Admin API keys

Snapshots Domain

See Privileges Required to Manage Snapshots for details on the privileges you need to use the resource snapshot feature.

Access level		Grantee abilities	Typical grantees
View		View the snapshots in the organization Copy or download a snapshot Validate a snapshot View changes to apply Match analogous resources	Monitoring API keys
Edit		Create a snapshot Export a snapshot to a different organization Apply a snapshot Delete a snapshot	Administrators Analytics managers Content managers Relevance managers Admin API keys

Temporary Access Domain

Access level		Grantee abilities	Typical grantees
View		View who at Coveo has asked for and been granted temporary access to your organization, as well as the privileges they were granted	Monitoring API keys
Edit		Revoke temporary access to your organization	Administrators Admin API keys

Vault Entry Domain

See Privileges Required to Manage Snapshots for details on the privileges you need to use the resource snapshot feature.

Note

To import sensitive information in your destination organization, you must have both of the following privileges:

The View access level on the Vault entry domain in the origin organization.
The Edit access level on the Vault entry domain in the destination organization.

Access level		Grantee abilities	Typical grantees
View		Import sensitive information (in the origin organization)	Analytics managers Content managers Relevance managers Monitoring API keys
Edit		Apply a snapshot, if it contains sensitive information Import sensitive information (in the destination organization)	Administrators Admin API keys

Search Service

Execute Queries Domain

Access level	Grantee abilities	Typical grantees
Allowed	For organization members and API keys to send queries and get search results in search pages connected to their Coveo organization (see Searching With Coveo)	Administrators Content managers Relevance managers Users Anonymous search API keys

Expression Validation Result Domain

Required to use an upcoming feature. Granting privileges on this domain doesn’t give the grantee any additional capabilities yet.

Impersonate Domain

Access level

Grantee abilities

Typical grantees

Allowed

Obtain a search token for a search interface that replicates a permission system to perform queries with the end-user identity and return only results the user is authorized to see.

This privilege is especially potent since grantees can impersonate any user and access in search results the content accessible to this user. Grantees could therefore access sensitive items that they can’t normally access in the original repositories.

Administrators
Search API keys

Modify Authentication Provider Domain

Access level	Grantee abilities	Typical grantees
Allowed	Manage authentication for sources that index permissions, such as when they're secured with SharePoint claims-based identities	Administrators Admin API keys

Query Logs Domain

Access level	Grantee abilities	Typical grantees
View	In your consumption dashboard, download a list of the queries performed in a hub during a certain month	Administrators Admin API keys Monitoring API keys

Query Pipelines Domain

Access level		Grantee abilities	Typical grantees
View all		View query pipelines (see What's a Query Pipeline? and Manage Query Pipelines) View query pipeline rules View query pipeline rule conditions (see Manage Query Pipeline Rules and Rule Conditions From Tabs) View A/B tests (see Manage A/B Tests)	Monitoring API keys
Custom	View	View query pipeline (see What's a Query Pipeline? and Manage Query Pipelines) View query pipeline rules View query pipeline rule condition (see Manage Query Pipeline Rules and Rule Conditions From Tabs) View A/B test (see Manage A/B Tests)
Custom	Edit	Edit or delete specific query pipelines (see What's a Query Pipeline? and Manage Query Pipelines) Edit or delete specific query pipeline rules (see Manage Query Pipeline Rules and Rule Conditions From Tabs) Edit or delete specific query pipeline rule conditions (see Manage Query Pipeline Rules and Rule Conditions From Tabs) Edit or delete specific A/B tests (see Manage A/B Tests)
Edit all		Optimize results relevance and search experience in general: Add, edit, or delete all query pipelines (see What's a Query Pipeline? and Manage Query Pipelines) Add, edit, or delete all query pipeline rules (see Manage Query Pipeline Rules and Rule Conditions From Tabs) Add, edit, or delete all query pipeline rule conditions (see Manage Query Pipeline Rules and Rule Conditions From Tabs) Add, edit, or delete all A/B tests (see Manage A/B Tests)	Administrators Relevance managers Admin API keys

Salesforce Index Configuration Domain

Access level

Grantee abilities

Typical grantees

View

Monitoring API keys

Edit

Link a Coveo organization to a Salesforce organization that uses a Salesforce index

Administrators
Admin API keys

Search Pages Domain

Access level		Grantee abilities	Typical grantees
View all		Access all the search pages hosted by the Coveo organization	Users Monitoring API keys
Custom	View	None yet. Custom search page privileges will be available following an upcoming release.
Custom	Edit	None yet. Custom search page privileges will be available following an upcoming release.
Edit all		Add or delete all hosted search pages Customize all search page interfaces	Administrators Admin API keys

The Edit all access level is a sensitive privilege which is typically granted only to administrators. This privilege should remain limited to avoid being exploited by malicious users who could enter unwanted code and put search page users at risk.

Search Usage Metrics Domain

Access level		Grantee abilities	Typical grantees
View		View the Consumption dashboard	Relevance managers Monitoring API keys
Edit		Edit the entitlement metric of a search hub in the Consumption dashboard	Administrators Admin API keys

View All Content Domain

Access level

Grantee abilities

Typical grantees

Allowed

Browse all the content of a Coveo organization index, and therefore be able to troubleshoot search issues (see Inspect Items With the Content Browser)

This privilege is especially potent since grantees bypass the content permissions and could therefore access sensitive items that they can’t normally access in the original repositories.

Administrators